Identify Data Types - It is critical that you evaluate the types of data you will be storing, transmitting, or manipulating on your self-managed system. If this involves any critical or restricted sensitive data, you MUST get prior approval before proceeding. Please see Sensitive Data Policies and Email Encryption and let us know before proceeding if you will need to store, transmit, or manipulate any sensitive data.

OS Version Selection - There are various versions of Ubuntu available and we strongly recommend selecting a Long-Term Support (LTS) version of Ubuntu. This way your version of the OS will get security patches for as long as possible without having to make a major OS version upgrade. You can run the ubuntu-support-status command to see the support status of the installed packages and their end-of-support dates.

Automatic Security Updates - During the installation of Ubuntu, you will be asked if you want automated updates. You must select the option to apply security updates automatically. If you did not select this option during the initial installation, please enable it per the Ubuntu Automatic Updates Documentation. You can run "debconf-show unattended-upgrades" to see if the automatic updates are enabled and you can reconfigure it with "dpkg-reconfigure -plow unattended-upgrades". Note that you can check for available security updates and install them with:

See the apt-get man page for details on the various commands and exactly what they do.

Account Passwords - To be in compliance with IU policy, all account passwords must comply with the IU Passphrase Guidelines, including the 15 character minimum length. This includes the initial account you set up at install time and any other accounts you might add after the installation. In addition, account passwords must be changed no less frequently than every 2 years to be in compliance with IU policy. One good way to stay in compliance with password guidelines is to set the system up so it uses the IU passphrase for account authentication. This is simple to do by just installing these packages:

sudo apt-get install heimdal-clients libpam-heimdal

When prompted for the Kerberos realm, enter "ADS.IU.EDU".

Admin Access - Normal day-to-day usage of the system must be done using non-privileged (i.e. non-root) accounts. When elevated privileges are needed, sudo will be used. This is the default mode of operation in Ubuntu, so this should not be a problem. However, you are discouraged from routinely doing something like "sudo bash" to get a root shell when you can just run individual commands via sudo.

Encryption Requirements - Any service that requires logins over the network must be encrypted. So, for example, you must use ssh and sftp and not something like ftp that sends login information in cleartext. This also includes web applications that require login access so such sites must use https/SSL.

Firewall Implementation - One of the most important security mechanisms is the implementation of a proper firewall. In the linux world, that will likely be either iptables or firewalld. Here is the process of setting up iptables with Ubuntu 14.04 LTS:

# Step 1: Set up the iptables rules
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT 1 -i lo -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -P INPUT DROP
# NOTE: This assumes the only port you want exposed on the network is port 22 (ssh).
# If you want additional ports open, add them like above for port 22.
# Just be sure to add them BEFORE the final "-P INPUT DROP" line.

# Step 2: Install iptables-persistent to manage things and save the config
sudo apt-get update
sudo apt-get install iptables-persistent
# NOTE: Rules will be saved to /etc/iptables/rules.v4 during install

# Step 3: If you make any further changes to the rules, save them out with:
# 14.04:
sudo /etc/init.d/iptables-persistent save
# 16.04:
sudo netfilter-persistent save

# Example: Here is how to add a new rule and save it out after iptables is already set up on 16.04:
# Open up port 1234 by inserting the rule into the chain
sudo iptables -I INPUT 3 -p tcp --dport 1234 -j ACCEPT
# If you wanted to open up port 1234 to only the host with IP address 1.2.3.4 you could do that with:
sudo iptables -I INPUT 3 -s 1.2.3.4 -p tcp --dport 1234 -j ACCEPT
# Verify that the rule looks good and is in the right place
sudo iptables -v -L --line-numbers
# Save it out
sudo netfilter-persistent save

Disable Remote Root SSH Logins - You want to be sure that root logins are not allowed via remote ssh connections. You can ensure this is the case by making sure you have the line PermitRootLogin no in the sshd config file (/etc/ssh/sshd_config).

Remove or Disable mDNS/avahi-daemon - You should ensure that avahi-daemon is not running and providing mDNS services. This is almost certainly not needed on the IU network and can leave the system open to abuse. You can just remove the avahi-daemon package entirely (preferred) or disable it as follows:

Securing Services - You may need to run a variety of services on the system, including web and database servers. It is recommended that you limit networked services as much as possible and use IU and SoIC servers if at all possible. Furthermore, if you do run such services it is best to limit their exposure on the network if they are only needed locally on the system. For example, a database server (like mysqld or mongod) that is used by a web server running on the same system need not be exposed on the network. We can't list every single service you may need to run but do have some specific recommendations for some common services in use within the school:

mongodb - Mongodb is one of the most commonly misconfigured database applications. You are strongly encouraged not to expose this service on the network by using the bind_ip=127.0.0.1 setting in your mongo config file. If you do modify that so it is exposed on the network, you MUST enable authentication with auth=true in your config. There are additional guidelines for securing mongodb in the MongoDB Security Checklist.

mysqld/mariadb - As with all other services, it is best not to expose them on the network, if possible. By default, most mysql installations will allow remote access, but you should disable this if not needed. This can be done by adding the line bind-address=127.0.0.1 to the [mysqld] section of the configuration file (usually /etc/my.cnf) and restarting the service. Most mysql installations also come with a script mysql_secure_installation that you should run to perform some basic security measures like setting a root password, removing default accounts and/or tables, and preventing remote root access.

postfix - In the vast majority of cases, you will want to configure the postfix email server to allow only local connections so the system can send email. It is very unlikely that you will want to allow remote email connections, so you should edit the /etc/postfix/main.cf configuration file and make sure you are using inet_interfaces=localhost.
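To verify that the database and mail services above really are bound only to loopback, here is an added example (not part of the original guideline): a small Python script that parses the output of `ss -H -lntu` (a constructed sample is embedded, showing a mongod instance and mDNS exposed on all interfaces) and flags every listener reachable from the network except the ssh port. The allowlist of expected exposed ports and the `ss` column layout are assumptions.

```python
# Added example (not from the original guideline): parse `ss -H -lntu` output
# and flag every listener reachable from the network that is not on the allowlist.
import ipaddress

# Constructed sample of `ss -H -lntu` (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:27017      0.0.0.0:*
tcp   LISTEN 0 100    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0 128    [::]:22            [::]:*
tcp   LISTEN 0 128    [::1]:631          [::]:*
udp   UNCONN 0 0      0.0.0.0:5353       0.0.0.0:*
"""

# Ports the guideline expects to be exposed (ssh only by default); assumption.
ALLOWED_PORTS = {22}

def split_addr_port(local):
    """Split '0.0.0.0:22', '[::]:22', '[::1]:631' or '*:22' into (host, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "::"  # ss prints '*' for the unspecified address
    return host, int(port)

def is_loopback(host):
    """True for 127.x.x.x and ::1; unparsable hosts count as not loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def exposed_listeners(ss_output, allowed_ports=ALLOWED_PORTS):
    """Return (proto, host, port) for each non-loopback listener whose port
    is not allowed, in the order ss printed them."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, port = split_addr_port(fields[4])
        if not is_loopback(host) and port not in allowed_ports:
            findings.append((fields[0], host, port))
    return findings

if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed: {proto} {host}:{port}")
```

On a live system, feed it the real output with `ss -H -lntu | python3 check_exposed.py` after replacing the sample string with `sys.stdin.read()`; anything it reports should either be added to the firewall rules deliberately or rebound to 127.0.0.1.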

apache - The apache web server is very popular and here are some basic configuration suggestions for making your installation more secure. This list is in no way exhaustive and there are lots of ways you can make your installation insecure. For that reason, you are encouraged to use central IU and SoIC web services if at all possible.

SSL - If your site supports https/SSL you should disable SSLv1, SSLv2, and TLSv1 (aka. TLSv1.0) and only support TLSv1.1 and later. The following SSL configuration parameters are recommended:

Directory Indexes - You should disable any automatic directory indexing that is not explicitly needed. To do that, look for any "Options" lines in your config files and remove the "Indexes" option from all of them where it is not needed. In general, allowing directory indexes is a bad idea since you may inadvertently expose files you don't mean to expose.

nginx - Nginx is another web server that is widely used and here are some configuration tips. As with apache, there are lots of ways you can make your installation insecure. For that reason, you are encouraged to use central IU and SoIC web services if at all possible.

SSL - If your site supports https/SSL you should disable SSLv1, SSLv2, and TLSv1 (aka. TLSv1.0) and only support TLSv1.1 and later. This can be done with the config option "ssl_protocols TLSv1.1 TLSv1.2;". You should also review the other security recommendations for SSL at Strong SSL Security on nginx.

SSL - If your site supports https/SSL, you should disable SSLv1, SSLv2, and TLSv1 (aka. TLSv1.0) and only support TLSv1.1 and later. There are different ways of doing this depending on the connector type you are using, but when using JSSE connectors you can use the following in the HTTPS connector configuration in the server.xml:

sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"

Manager App - Most tomcat installations will have a Manager App accessible via a URL like http://host:port/manager/html or http://host:port/manager/. Be sure to change the default password if this is enabled. Look for a file named tomcat-users.xml and modify the default usernames and passwords there. Look for both the admin and manager accounts and be sure to change both.

System Logging - IU has specific logging requirements for all servers operating on the IU network per IT Policy IT-12. If your Ubuntu system is operating as a server on the IU network (e.g. web, database, etc.), you need to set up logging as follows:

This will log all failed file access attempts as well as both failed and successful logins. On a system with sensitive data, you must also log all successful file accesses, so please let us know and we can help set this up. For example, if you were storing sensitive data in /home/goodies then you would add the following to the above auditd rules:

Splunkforwarder - The auditd data should be forwarded to the IU Log-Alert service using Splunkforwarder. This guards against tampering with the audit data that resides locally on the system. The installation is done via an installer script that we can provide. Please let us know and we can help you set this up.

Account Maintenance - You will need to review all user accounts on the system monthly and purge any accounts that are no longer needed.

OS Patch Maintenance - As noted above, you are required to configure the system so that security updates are installed automatically. However, you are encouraged to install other maintenance updates on a regular schedule.

Security Vulnerability Scans - All systems on the SoIC networks will be automatically scanned using an external security scanner monthly. We will contact you to resolve any vulnerabilities that show up for your system and we expect that you will work promptly to resolve all reported issues.